Action Kit: House Democrats Question DHS (Department of Homeland Security), ICE Use of Surveillance Tech

Event Classification: Policy Change | Severity: MEDIUM

Affected Agencies: DHS, ICE, CBP, CISA, USSS

Key Contract Vehicles: DHS EAGLE II, OASIS+, GSA (General Services Administration) MAS, SEWP

---

Immediate Actions (This Week)

• [ ] Audit current DHS/ICE contracts for surveillance technology components — Review active task orders and subcontracts to identify any deliverables involving location tracking, biometrics, data analytics, or investigative support services that could fall under enhanced scrutiny
• [ ] Review privacy and civil liberties compliance documentation — Verify that all Privacy Impact Assessments (PIAs), System of Records Notices (SORNs), and Fourth Amendment compliance documentation are current and accessible for immediate production if requested
• [ ] Brief executive leadership and legal counsel — Schedule a 30-minute briefing on potential exposure, focusing on contracts with data collection, surveillance, or intelligence system components
• [ ] Inventory data handling procedures — Document current data retention, access controls, encryption standards, and deletion protocols for any systems that process personally identifiable information (PII) or law enforcement sensitive data
• [ ] Check subcontractor and teaming partner compliance posture — If you prime surveillance-related contracts, verify that subcontractors have adequate privacy controls and documentation in place

Short-Term Actions (30 Days)

• [ ] Strengthen privacy compliance documentation — Update or create comprehensive privacy compliance packages including: Privacy Act compliance statements, NIST Privacy Framework mappings, data flow diagrams, and civil liberties impact assessments for all relevant systems
• [ ] Engage with DHS contracting officers proactively — Schedule check-ins with CORs and KOs on active surveillance-related contracts to demonstrate transparency and discuss any anticipated guidance changes before they become requirements
• [ ] Develop enhanced oversight response protocols — Create templated responses for congressional inquiries, OIG audits, and GAO reviews specific to surveillance technology contracts, including acquisition justifications and legal authority documentation
• [ ] Review and update proposal boilerplate — Revise standard technical approach language for surveillance and data analytics proposals to emphasize privacy-by-design, civil liberties protections, constitutional compliance, and transparent oversight mechanisms
• [ ] Monitor for new DHS privacy guidance — Track DHS Privacy Office, ICE Privacy Office, and CBP Privacy Office for updated policies, directives, or compliance requirements that may emerge from the March 5 briefing deadline
• [ ] Assess competitive positioning — Analyze whether enhanced privacy requirements create differentiation opportunities or barriers to entry in your target market segments

Long-Term Actions (90+ Days)

• [ ] Implement privacy-enhancing technologies (PETs) roadmap — Develop technical capabilities in differential privacy, data minimization, anonymization, and privacy-preserving analytics to position for next-generation surveillance contracts with built-in civil liberties protections
• ] **Pursue FedRAMP (Federal Risk and Authorization Management Program) authorization for surveillance platforms** — If offering cloud-based surveillance or data analytics solutions, initiate or accelerate FedRAMP authorization to demonstrate commitment to federal security and privacy standards (reference our [Secure Operations Guide (/insights/secure-operations-guide) for implementation frameworks)
• [ ] Build privacy compliance into SDLC — Integrate NIST Privacy Framework controls into your software development lifecycle, including automated privacy testing, PIA generation, and civil liberties impact scoring for new features
• [ ] Develop congressional engagement strategy — For firms with significant DHS surveillance portfolios, consider proactive engagement with House and Senate oversight committees to demonstrate industry commitment to responsible technology deployment
• [ ] Create privacy center of excellence — Establish internal expertise in Fourth Amendment jurisprudence, Privacy Act compliance, and civil liberties frameworks to serve as a competitive differentiator and risk mitigation capability
• [ ] Prepare for potential procurement restrictions — Develop contingency plans if specific surveillance technologies or vendors face procurement limitations, including alternative technical approaches and supplier diversification strategies

Compliance Checklist

This event heightens scrutiny on existing compliance requirements. Verify your organization meets these standards for any DHS surveillance-related contracts:

Privacy Act Compliance

• [ ] Privacy Impact Assessments (PIAs) — Current PIAs completed for all systems collecting, maintaining, or disseminating PII, with annual reviews documented
• [ ] System of Records Notices (SORNs) — Published in Federal Register for any system retrievable by personal identifier
• [ ] Privacy Act Statements — Provided to individuals at point of collection, including authority, purpose, routine uses, and consequences of not providing information
• [ ] Data minimization practices — Documented procedures ensuring only necessary PII is collected and retained

Fourth Amendment & Civil Liberties

• [ ] Legal authority documentation — Clear statutory or regulatory authority documented for each surveillance capability
• [ ] Warrant and legal process compliance — Procedures ensuring surveillance tools are used only pursuant to valid legal process (warrants, subpoenas, court orders)
• [ ] Civil liberties impact assessments — Analysis of potential impacts on First and Fourth Amendment rights, with mitigation measures
• [ ] Oversight and audit mechanisms — Technical and procedural controls enabling independent oversight of system use

FISMA & NIST 800-53 Controls

• [ ] Privacy controls (Appendix J) — Implementation of NIST 800-53 Rev 5 privacy controls appropriate to system categorization
• [ ] Authority and Purpose (AP family) — Controls AP-1 (Policy and Procedures) and AP-2 (Purpose Specification) fully implemented
• [ ] Data Quality and Integrity (DI family) — Controls ensuring accuracy, relevance, timeliness, and completeness of PII
• [ ] Data Minimization and Retention (DM family) — Controls DM-1 (Minimization) and DM-2 (Retention and Disposal) with documented schedules
• [ ] Individual Participation and Redress (IP family) — Mechanisms for individuals to access and correct their information
• [ ] Security and Privacy (SC family) — Technical controls for PII confidentiality, including encryption at rest and in transit

DHS-Specific Requirements

• [ ] DHS Privacy Policy compliance — Adherence to DHS Directive 047-02 and Instruction Manual 047-02-001
• [ ] Fair Information Practice Principles (FIPPs) — Demonstrable implementation of all eight DHS FIPPs
• [ ] Privacy Threshold Analysis (PTA) — Completed for all IT systems to determine PIA requirements
• [ ] Privacy continuous monitoring — Ongoing assessment of privacy controls effectiveness

FedRAMP (for cloud-based surveillance systems)

• [ ] FedRAMP authorization — Moderate or High baseline authorization appropriate to data sensitivity
• [ ] Privacy addendum — FedRAMP privacy controls documented in System Security Plan (SSP)
• [ ] Continuous monitoring — Monthly vulnerability scanning and annual assessments maintained

NIST Privacy Framework

• [ ] Framework implementation — Documented mapping to Identify, Govern, Control, Communicate, and Protect functions
• [ ] Privacy risk assessment — Systematic evaluation of privacy risks using NIST methodology
• [ ] Privacy engineering objectives — Predictability, manageability, and disassociability built into system design

Section 508 Accessibility

• [ ] WCAG 2.0 Level AA compliance — All user interfaces accessible to individuals with disabilities
• [ ] Voluntary Product Accessibility Template (VPAT) — Current VPAT available for all surveillance technology products

Acquisition & Oversight Documentation

• [ ] Acquisition justification — Business case documenting need, alternatives considered, and cost-benefit analysis
• [ ] Oversight mechanisms — Technical audit logs, usage reporting, and independent review procedures documented
• [ ] Data sharing agreements — Memoranda of Understanding (MOUs) or Interconnection Security Agreements (ISAs) for any data sharing with other agencies
• [ ] Vendor management — Due diligence documentation for surveillance technology vendors, including security assessments

For comprehensive guidance on implementing these controls within your operational environment, consult our CMMC (Cybersecurity Maturity Model Certification) Compliance Guide (/insights/cmmc-compliance-guide) and CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide), which provide frameworks applicable to privacy-sensitive government contracting.

Resources

Congressional Oversight

• House Committee on Homeland Security - Oversight Materials (https://homeland.house.gov/activities/oversight/)
• Congressional Research Service: Privacy and Civil Liberties Oversight (https://crsreports.congress.gov)

DHS Privacy Guidance

• DHS Privacy Office Policy Library (https://www.dhs.gov/privacy-policy-guidance)
• DHS Directive 047-02: Privacy Policy (https://www.dhs.gov/publication/privacy-policy-directive-047-02)
• DHS Instruction Manual 047-02-001: Privacy Policy and Compliance (https://www.dhs.gov/publication/privacy-policy-and-compliance-instruction-manual)

Privacy Act & Fourth Amendment

• Privacy Act of 1974 (5 U.S.C. § 552a) (https://www.justice.gov/opcl/privacy-act-1974)
• DOJ Privacy Act Implementation Guidelines (https://www.justice.gov/opcl/privacy-act-implementation-guidelines-and-records-management)
• Fourth Amendment Jurisprudence - DOJ Resources (https://www.justice.gov/jm/criminal-resource-manual-2001-fourth-amendment-search-and-seizure)

NIST Privacy Standards

• NIST Privacy Framework 1.0 (https://www.nist.gov/privacy-framework)
• NIST SP 800-53 (NIST Special Publication 800-53) Rev 5 - Security and Privacy Controls (https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
• NIST SP 800-122 - Guide to Protecting PII (https://csrc.nist.gov/publications/detail/sp/800-122/final)

FedRAMP

• FedRAMP Privacy Requirements (https://www.fedramp.gov/assets/resources/documents/Agency_Guide_for_FedRAMP_Authorizations.pdf)
• FedRAMP Marketplace - Authorized Cloud Services (https://marketplace.fedramp.gov/)

Contract Vehicles

• DHS EAGLE II Information (https://www.dhs.gov/science-and-technology/eagle)
• GSA OASIS+ Program (https://www.gsa.gov/buy-through-us/products-and-services/professional-services/oasis-plus)
• GSA Multiple Award Schedule (MAS) (https://www.gsa.gov/buy-through-us/purchasing-programs/gsa-schedules)

How Cabrillo Club Automates This

Cabrillo Signals War Room has already detected this congressional oversight development and delivered this briefing to your dashboard within minutes of the news breaking. The War Room continuously monitors House and Senate committee activities, DHS policy announcements, Privacy Office guidance updates, and regulatory changes across 47 federal sources. You didn't need to manually track congressional hearings or set up Google alerts — the system identified this as a MEDIUM severity event affecting surveillance technology contractors and automatically generated this Action Kit with tailored compliance checklists for your specific contract portfolio.

Cabrillo Signals Match Engine is now automatically rescoring opportunities in your pipeline that involve surveillance technology, data analytics, or law enforcement support services for DHS components. If you've been tracking RFIs or upcoming recompetes for DHS EAGLE II task orders in NAICS 541513 (Computer Facilities Management) or 541690 (Scientific and Technical Consulting), those match scores are being updated in real time to reflect the heightened privacy compliance emphasis. The engine factors in your organization's documented privacy capabilities, FedRAMP status, and past performance with privacy-sensitive systems to recalculate win probability.

Cabrillo Signals Intelligence Hub allows you to configure saved searches that will alert you when follow-on developments emerge from this event. Set up alerts for: (1) new DHS Privacy Office guidance documents, (2) SAM.gov (System for Award Management) solicitations from ICE or CBP containing keywords like "surveillance," "location tracking," or "privacy-enhancing technologies," and (3) contract awards to competitors in the affected NAICS codes. The Intelligence Hub tracks the March 5 briefing deadline and will notify you when transcripts, follow-up letters, or policy changes are published by the House Committee on Homeland Security.

Proposal Studio (Proposal OS) helps you respond to RFPs that now carry heightened privacy expectations. When you're building a proposal for a DHS surveillance technology contract, Proposal OS automatically generates compliance matrices mapping your solution to NIST Privacy Framework controls, Privacy Act requirements, and Fourth Amendment safeguards. The system maintains your win theme library with privacy-by-design messaging and can produce first-draft technical approaches that emphasize civil liberties protections, transparent oversight mechanisms, and data minimization — all using your organization's past performance data and documented privacy capabilities. The bid/no-bid decision engine now factors in this congressional scrutiny, helping you assess whether you have sufficient privacy compliance infrastructure to be competitive.

Explore these features in your Cabrillo Club dashboard to stay ahead of the evolving privacy compliance landscape in DHS surveillance contracting. The platform transforms reactive compliance into proactive competitive advantage.

---